Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
2 changed files
with
196 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,81 +1,81 @@ | ||
| #LEAP | ||
| LEAP: Local Enumeration And Privesc. By Ben Roxbee Cox, Oliver Fulong, Omar and Andrei. | ||
|
|
||
| # Introduction | ||
|
|
||
| In this group project we are going to do enumerations which is to gather information from the local system as much as possible, also we are going to discover some privilege escalation methods. We are going to build our tool to run Linux and Windows operating systems. Everyone of us will work independently to build and design his own tool. However, we will contibute some functionalities to each other's projects. | ||
|
|
||
|
|
||
|
|
||
| # LEAP | ||
|
|
||
|
|
||
| #Discusions | ||
| During the first meeting we decided all of the names and file trees that we will | ||
| work with. For the function naming convention, we decided that all | ||
| Windows enumarators will be named winEnumUsers and all Linux enumarators will be | ||
| called linEnumUsers. For the file tree we chose that all programs will be in /src | ||
| work with. This included having seperate sub directories for the Linux and Windows plugins. | ||
| We agreed that all enumerations would be inside one file, but priv escs would have their own file. | ||
| For the function naming convention, we decided that all | ||
| Windows enumarators will be named winEnum{name} and all Linux enumarators will be | ||
| called linEnum{name}. For the file tree we chose that all programs will be in /src | ||
| directory, Windows and Linux will each have a sub directory, the enumeration script | ||
| will be in /src, the enumeration plugins will be in only one file and each plugin | ||
| will have its own class. | ||
| will be in /src, the enumeration plugins will be in only one file, | ||
| but priv escs would each have their own file. | ||
|
|
||
| #LEAP | ||
| LEAP: Local Enumeration And Privesc. By Ben Roxbee Cox, Oliver Fulong, Omar and Andrei. | ||
|
|
||
| ## Plugins | ||
| This project uses a number of plugins in order to carry out the enumeration and priv esc. Each plugin will be written by one author and then integrated into the the other projects. | ||
| ## Enumaration | ||
| ### Windows | ||
| #### checkIfAdmin | ||
| **Author: Oliver Furlong** | ||
| This plugin will check to see if the user already have admin privillages. Just in case. | ||
| This function will return True/False and LEAP will ask if enumaration should still run if True. | ||
|
|
||
| #### Host Information | ||
| **Author: Andrei Ciobotaru** | ||
| This plugin will gather information about the host such as Operating system, Kernel Version, and Host name. | ||
|
|
||
| #### appsNServices | ||
| **Author: Oliver Furlong** | ||
|
|
||
| #### fileInfo | ||
| **Author: Oliver Furlong** | ||
| Will enumarate the file system to gather information on file permissions, if any potentially sensitive files can be read, if the user can read files from other users etc. | ||
|
|
||
| #### Network Information | ||
| **Author: Anrei Ciobotaru** | ||
| A plugin to gather network infomration such as IP address, MAC address, the name of the WiFi the target is connected to. | ||
|
|
||
| ### Linux | ||
|
|
||
| #### checkRoot | ||
| **Author: Ben Roxbee Cox** | ||
| This plugin will check to see if the user already have root privillages already. Just in case. | ||
| This function will return True/False and LEAP will ask if enumaration should still run if True. | ||
|
|
||
| #### cronInfo | ||
| **Author: Ben Roxbee Cox** | ||
| Returns infomration about Cron jobs. This infomation could be useful because if a running Cron job has incorrect file permissons an attacker could manipulate the file to exploit the local system. | ||
|
|
||
| LEAP: Local Enumeration And Privesc. Framework for 4061CEM project. | ||
|
|
||
|
|
||
| ## What is here? | ||
|
|
||
| Not much. | ||
|
|
||
| This project requires you to generate most of the actual code | ||
| yourselves. To start with, each team should work on a fork of this | ||
| repository together to define the common features of the individual | ||
| pieces of functionality - we'll refer to them as "plugins". This is a | ||
| kind of **design by contract**, which you can read about here: | ||
| <https://www.sciencedirect.com/topics/computer-science/design-by-contract>. Some | ||
| things to decide might be: | ||
| - Will each piece of functionality be in a separate file or subdirectory? | ||
| - Will your team have a naming convention? For example, maybe all | ||
| windows enumerators will begin with "wEnum_", linux with "lEnum_" | ||
| and so on. | ||
| - What will each function return or display? Will each function | ||
| print out to the user? Or will it return a block of text in a | ||
| string? Or a list of lines? Or maybe a dict with some meta-info | ||
| (version, plugin name, plugin author, date, time, etc.) and text | ||
| data? Or JSON? All are possibilities. | ||
| - Will you have a standard set of parameters to be passed in? Or can | ||
| each plugin have a different set of required parameters? | ||
| - What plugins will be implemented? Who will be the author? | ||
|
|
||
| You should document these decisions here in the `README.md` file. Once | ||
| you are all happy with this, stage, commit and push it to your shared | ||
| fork. Then, each team member can begin writing their own tool by | ||
| creating an individual fork or using branching. Naming your tool | ||
| something sensible and uniquely identifiable at this point will be | ||
| very helpful. If you all keep the simple name "LEAP", you will might | ||
| it tricky to remember which repository you are working on later. You | ||
| can call your own fork whatever you like. | ||
|
|
||
| When the individual tools are working and each team member has their | ||
| own plugins working, it is their responsibility to liaise with the | ||
| other members of the team to import the other plugins. Each team | ||
| member should create a fork of the repositories of each of their | ||
| team-mates, integrate their plugins and submit a pull-request for each | ||
| fork. If using branches, then each team member can merge into their | ||
| branch from either the master (if any system changes are made) or from | ||
| other users' forks (to incorporate their plugins). | ||
|
|
||
| If using forks, with team members being A, B, C and D, they will have | ||
| one fork to start with in which the team collaborates on defining the | ||
| basics. Then A will create a personal fork of the shared repository | ||
| and work on their tool and plugins. When they're done, they will | ||
| create forks from their team-mate's repositories. Let's call them | ||
| LEAP-B, LEAP-C and LEAP-D. A will then port their plugins to each of | ||
| these new forks and submit pull requests for them to be merged into | ||
| the repositories of their teammates. | ||
|
|
||
| ## Why? | ||
|
|
||
| This might seem overly complex, but it's not. In reality, this is one | ||
| of the common ways people collaborate using git. You can fork any | ||
| public project and work on your own copy without needing to ask | ||
| permission or get added to the original repo, then if you want to | ||
| recommend your changes to the original author you create a pull | ||
| request and they can decide to merge it into their work or not. | ||
|
|
||
| In this project you will be getting experience of working on a project | ||
| and receiving multiple pull-requests from contributors and at the same | ||
| time, contributing to the repositories of others. | ||
| #### fileInfo | ||
| **Author: Ben Roxbee Cox** | ||
| Will enumarate the file system to gather information on file permissions, if any potentially sensitive files can be read, if the user can read files from other users etc. It will also check for SUID files that could be exploited. | ||
| #### networkInfo | ||
| **Author: Omar Alhendi** | ||
| A plugin to gather network infomration such as IP address, MAC address, the name of the WiFi the target is connected to. | ||
|
|
||
| #### devProgs | ||
| **Author: Omar Alhendi** | ||
|
|
||
| ## Priv-Esc | ||
| ### Windows | ||
|
|
||
| ### Linux | ||
| #### SUID Exploiter | ||
| **Author: Ben Roxbee Cox** | ||
| This is an exploit which searches for SUID Files on the host system and checks them against a large dictioary or known vulnerable SUIDs, and safe SUIDs. It them catagorises the Unexploitable, Possible exploitable and Definitely exploitable. If there is an SUID with an entry on GTFObins then it links to the GTFObins page, If it finds an SUID with a known easy exploit it runs the exploit and drops into a shell. | ||
|
|
||
| #### Docker Exploiter | ||
| **Author: Ben Roxbee Cox** | ||
| This plugin is a Linux Docker exploiter. It requires the current user to be a member of the "docker" group. This exploit leverages the fact that that Docker essentially runs as root, and so a member of the docker group can mount the root file system inside a docker container and operate as the root user via the docker container. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| Picking GitHub | ||
|
|
||
| Define function naming convention | ||
|
|
||
| winEnumUsers | ||
|
|
||
| linEnumUsers | ||
|
|
||
| Choose file tree | ||
|
|
||
| All program will be in /src/ directory | ||
|
|
||
| Sub directory for each Windows and Linux | ||
|
|
||
| Enumeration script in base /src/ | ||
|
|
||
| Enumeration Plugins will be in one file | ||
|
|
||
| Each plugin will have its own class | ||
|
|
||
|
|
||
|
|
||
| Who writes what documentation | ||
|
|
||
| User guide - Oliver | ||
|
|
||
| Introduction - Omar | ||
|
|
||
| Decisions - Andrei | ||
|
|
||
| The plugins - Ben | ||
|
|
||
| Make Your own name | ||
|
|
||
|
|
||
|
|
||
| Choose plugins to write | ||
|
|
||
| Windows | ||
|
|
||
| Oliver | ||
|
|
||
| Check if admin | ||
|
|
||
| Applications & Services | ||
|
|
||
| Files Info | ||
|
|
||
| Priv Esc - Research exploit | ||
|
|
||
|
|
||
| Andrei | ||
|
|
||
| Network Info | ||
|
|
||
| Host Info | ||
|
|
||
| Priv Esc - Research exploit | ||
|
|
||
| Linux | ||
|
|
||
| Ben | ||
|
|
||
| Check if root | ||
|
|
||
| Cron jobs | ||
|
|
||
| Priv Esc - SUID & Docker | ||
|
|
||
| Files Info | ||
|
|
||
| Omar | ||
|
|
||
| Network Info | ||
|
|
||
| Host Info | ||
|
|
||
| Applications & Services | ||
|
|
||
| Priv Esc - Possible angry cow | ||
|
|
||
|
|
||
|
|
||
| PLEASE ASK IF YOU GOT QUESTIONS | ||
|
|
||
|
|
||
|
|
||
| Meet next after James' Session on Wednesday | ||
|
|
||
|
|
||
| =============================================================================================================== | ||
|
|
||
| ## Update 25/11/2020 | ||
|
|
||
| - Oliver : Started Admin check | ||
| - Andrei : | ||
| - Omar : Done intoduction & Finished Enumerations | ||
| - Ben : Finished Enumerations & Priv Esc. Ready for port plugins | ||
|
|
||
| Meeting Thursday at 8PM | ||
|
|
||
| ================================================================================================================ | ||
|
|
||
| ## Update 26/11/2020 | ||
|
|
||
| - Oliver : Started on Enums, Enums will be finished for Friday eve | ||
| - Andrei : Starting enums & Finished documentation. Should be finished for Saturday | ||
| - Omar : Finished host enums, SUID privesc finished | ||
| - Ben : Finished all programming : Ready to port plugins | ||
|
|
||
| Ben & Omar to port plugins now. | ||
|
|
||
| ======================================================================================= | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|